Security software biz Avira has apologised after its antivirus suites went haywire and disabled customers' Windows machines.
A service pack issued on Monday caused its ProActiv monitoring software to think vital operating system processes were riddled with malware and blocked them from running.
Users of the affected products - …

Re: muppets

Footgun

Re: muppets

What would you recommend AC? I have been using Avira Antivir Professional for four years and have never had a false-positive problem with their product. I seriously had to double take when I saw the article title.

Re: muppets

Re: muppets

We do.

We went through a thorough testing procedure before settling on an AV solution, and Avira had the lowest performance hit of any solution. We were getting a performance boost in some situations of 20-40% on slower PCs over McAfee and Sophos.

It's been great from an Enterprise perspective. Their central management suite works a hell of a lot better than McAfee's EPO, and the agents are much more seamless to deploy than with Sophos (where the agent installs seemed to always find a different random deployment problem each time).

We were really happy until it bricked all our PCs on Tuesday. That can happen to anyone (it happened to McAfee not long ago). Thankfully, it was pretty easy to recover from in our situation, and we were back up and running within 20 minutes.

Nice testing procedure

1) Don't test their updates against a single Windows PC before sending them out.

2) Don't have a whitelist of known-good checksums of critically important, unchanging and pretty prevalent Windows system files.

3) Don't have a way to safely undo mistakes.

4) Don't put out an update that only touches the minimum of what it needs and lets USERS flag stuff as bad or not because it knows better.

and Windows, apparently, doesn't have a way of stopping programs from bricking the operating system by deleting critical files. Nice to know. (And, no, I don't care if you ARE an administrator user or not - you shouldn't be able to do this programmatically without at least warning the user first!)
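As an added example (not Avira's code and not from the thread), here is what points 1) and 2) above would look like as a POSIX shell release gate: hash a baseline of known-good system files, refuse to ship a detection update whose hash list collides with any of them, and at runtime route a hit on an allowlisted file to human review rather than deletion. The directory layout, file names and file contents inside `demo` are constructed stand-ins, not real Windows binaries; on Windows the same gate would additionally consult the file's Authenticode signature before acting.

```shell
#!/bin/sh
# Added example: a pre-release gate and quarantine gate built on a hash
# allowlist of known-good system files. Paths and formats are assumptions.

set -u

sha256_of() {
    # Portable SHA-256: GNU coreutils sha256sum, or shasum on BSD/macOS.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# build_allowlist DIR OUT: record "<sha256>  <relative path>" for every file in DIR.
build_allowlist() {
    dir=$1; out=$2
    : > "$out"
    find "$dir" -type f | sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(sha256_of "$f")" "${f#$dir/}" >> "$out"
    done
}

# preflight_update ALLOWLIST BADHASHES: return 0 if no "bad" hash in the new
# update collides with a known-good file, 1 otherwise (collisions go to stderr).
preflight_update() {
    allow=$1; bad=$2
    hits=$(cut -d' ' -f1 "$allow" | grep -F -x -f "$bad" || true)
    if [ -n "$hits" ]; then
        echo "REJECT update: detections would hit known-good files:" >&2
        echo "$hits" >&2
        return 1
    fi
    return 0
}

# quarantine_decision ALLOWLIST FILE: print "quarantine" or "review-only".
# An allowlisted (known-good) file is never deleted automatically.
quarantine_decision() {
    allow=$1; file=$2
    h=$(sha256_of "$file")
    if cut -d' ' -f1 "$allow" | grep -F -x -q "$h"; then
        echo review-only
    else
        echo quarantine
    fi
}

# demo: constructed data only; touches no real system files.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/baseline/System32"
    printf 'constructed stand-in for a system DLL\n' > "$tmp/baseline/System32/example.dll"
    printf 'constructed stand-in for explorer\n'      > "$tmp/baseline/explorer.exe"
    printf 'constructed malware sample\n'             > "$tmp/sample.bin"
    build_allowlist "$tmp/baseline" "$tmp/allow.txt"

    # A broken update lists the hash of a known-good file as malicious.
    sha256_of "$tmp/baseline/System32/example.dll" >  "$tmp/bad-broken.txt"
    sha256_of "$tmp/sample.bin"                    >> "$tmp/bad-broken.txt"
    # A correct update lists only the sample's hash.
    sha256_of "$tmp/sample.bin" > "$tmp/bad-ok.txt"

    preflight_update "$tmp/allow.txt" "$tmp/bad-broken.txt" 2>/dev/null && r1=pass || r1=reject
    preflight_update "$tmp/allow.txt" "$tmp/bad-ok.txt"     2>/dev/null && r2=pass || r2=reject
    r3=$(quarantine_decision "$tmp/allow.txt" "$tmp/baseline/explorer.exe")
    r4=$(quarantine_decision "$tmp/allow.txt" "$tmp/sample.bin")
    rm -rf "$tmp"
    echo "$r1 $r2 $r3 $r4"   # reject pass review-only quarantine
}
```

The allowlist only holds files that do not change between OS patches, so it has to be regenerated after every patch cycle; a stale allowlist is its own kind of bad update.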

windows does try and protect it's files

Re: Nice testing procedure

Let's assume your crapware has just flagged a Microsoft-signed file as a virus. What now?

If you believe that the black hats have got their paws on the private keys used to sign Windows itself, you should just give up. You cannot protect a system if the bad guys wrote it.

If, on the other hand, you believe the signature is valid, that means the file is supposed to exist and its contents are exactly as Microsoft intended them to be. What do you think is going to happen when you delete it? Is it going to be a nice end-user experience? Is it going to be tomorrow's headline in the IT press?

Re: "it is files"

Re: Nice testing procedure

I agree that most operating systems don't. But that's no excuse if you're supposed to be making a "world-beating" operating system that's focused on security - because there's no barrier to making it work properly at all.

And MS is supposed to have their "system protection", etc.. How hard is it, precisely, to prevent certain files being deleted without being in a "system maintenance mode", or requiring an actual human's permission to do so (that was the whole POINT of the annoying UAC wasn't it?).

I'm really waiting for the day where your computer can be in either "usage" or a minimal "maintenance" mode and only in maintenance mode can you do updates, change bootloaders, play with critical files, etc. and only in usage mode can you log in as other users, browse the web, move files around, execute programs etc. And having NO PROGRAMMATIC WAY to switch between the two modes at all, and not have any processes survive the transition.

We have a sort of fake pseudo mentality that almost does this ("no running as root normally", "safe mode", etc.) but they never quite cover that the two modes of operation are distinctly different beasts.

Re: windows does try and protect it's files

It's a counter-intuitive rule, that one, but one we learn all the same. Perhaps people registering with El Reg could also be directed to a 'there, their, they're' lesson, and prove that they can disable their caps-lock key, too. It would get rid of one regular troll, at least....

Re: Nice testing procedure

"I'm really waiting for the day where your computer can be in either "usage" or a minimal "maintenance" mode and only in maintenance mode can you do updates, change bootloaders, play with critical files, etc"

If you want something like that try using a Linux/BSD variant setup to mount /sbin, /etc, /usr/sbin, and others as read only when in "usage" mode and read/write when in "maintenance" mode.

Or for added security you could use a device with a physical read only switch for the drive/partition that holds those core parts. For standard user "usage" you only need write access to /home/, /var, and a couple of others. It's been a while, but I'm sure a quick google will confirm what can be mounted read only.

Used to run a firewall off of an old P1 with Debian running off of a CD but with /var mounted on a drive.
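As an added example, not the commenter's own setup, the read-only/read-write arrangement described above written as a small POSIX shell tool: a planned list of remount commands per mode, an `apply_mode` that runs them (root only, and only on a box whose fstab actually puts the core trees on their own partitions), and a check that reads a /proc/mounts-style table and reports any core tree that is still writable. The mount points in CORE_MOUNTS and the mount tables inside `demo` are assumptions and constructed snapshots, not taken from a real host.

```shell
#!/bin/sh
# Added example: "usage" mode keeps the core trees read-only; "maintenance"
# mode remounts them read-write. CORE_MOUNTS is an assumption for the example
# and must match partitions that really exist on the box.

set -u

CORE_MOUNTS="/ /usr /boot"

# mode_option MODE -> "ro" for usage, "rw" for maintenance, error otherwise.
mode_option() {
    case $1 in
        usage)       echo ro ;;
        maintenance) echo rw ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# plan_remount MODE: print the remount commands, one per core mount point,
# without executing them, so the plan can be reviewed and tested without root.
plan_remount() {
    opt=$(mode_option "$1") || return 1
    for m in $CORE_MOUNTS; do
        echo "mount -o remount,$opt $m"
    done
}

# apply_mode MODE: execute the plan. Run as root; stops at the first failure.
apply_mode() {
    opt=$(mode_option "$1") || return 1
    for m in $CORE_MOUNTS; do
        mount -o remount,"$opt" "$m" || { echo "remount of $m failed" >&2; return 1; }
    done
}

# check_usage_mode MOUNTS_FILE: given a /proc/mounts-style table, print every
# core mount point that is not mounted read-only; return 1 if any. Useful as a
# boot-time or periodic assertion that the box really is in usage mode.
check_usage_mode() {
    table=$1; bad=0
    for m in $CORE_MOUNTS; do
        opts=$(awk -v mp="$m" '$2 == mp { print $4 }' "$table")
        case ",$opts," in
            *,ro,*) ;;   # read-only: as expected in usage mode
            *) echo "$m is writable (opts: ${opts:-not mounted})"; bad=1 ;;
        esac
    done
    return $bad
}

# demo: constructed /proc/mounts snapshots, not captured from a real host.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/usage.mounts" <<'EOF'
/dev/sda1 / ext4 ro,relatime,errors=remount-ro 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
/dev/sda3 /boot ext4 ro,relatime 0 0
/dev/sda4 /var ext4 rw,relatime 0 0
/dev/sda5 /home ext4 rw,relatime,nosuid,nodev 0 0
EOF
    cat > "$tmp/maint.mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /usr ext4 rw,relatime 0 0
/dev/sda3 /boot ext4 ro,relatime 0 0
/dev/sda4 /var ext4 rw,relatime 0 0
EOF
    check_usage_mode "$tmp/usage.mounts" >/dev/null && r1=ok || r1=violation
    check_usage_mode "$tmp/maint.mounts" >/dev/null && r2=ok || r2=violation
    n=$(plan_remount usage | grep -c 'remount,ro')
    rm -rf "$tmp"
    echo "$r1 $r2 $n"   # ok violation 3
}
```

The check parses the fourth field of /proc/mounts, which is why `errors=remount-ro` on the root line does not count as read-only: the match is on a whole `ro` option, not the substring. Note that nothing here stops a root process from calling `apply_mode maintenance` itself, which is exactly the gap the earlier comment complained about; a physical write-protect switch is the only version of this with no programmatic way round.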

Re: Nice testing procedure

RE:"And MS is supposed to have their "system protection", etc.. How hard is it, precisely, to prevent certain files being deleted without being in a "system maintenance mode", or requiring an actual human's permission to do so (that was the whole POINT of the annoying UAC wasn't it?)."

1) I don't think a Windows service triggers a UAC prompt. If it did, it would break all sorts of Windows functions (including Windows update). It would be a similar situation if Unix required daemons to run under the restrictions imposed by sudo, or so I believe.

2) Requiring a user to switch an OS to a "maintenance mode" to update would be a good way of ensuring that a lot of users never update their OS. The likes of Microsoft, Apple and the various Linux vendors are having trouble ensuring people keep their OSes up to date with the mostly automatic systems in place now, how are they going to do that when people need to switch the OS to a different mode? In the meantime, bad guys would merely find a way around the protection without switching to a separate mode..

Re: windows does try and protect it's files

Actually, I rather like the big dumb guy. Obviously I found him annoying the first day he arrived, but as soon as it became obvious that he was just trolling on every post it was rather fun to see how many people he could get each time.

Service pack zero?

@Gerard Krupa

It isn't suspiciously like malware behaviour, it is malware behavior absolutely outright. Avira should face a very large fine in line with actual malware suppliers as this has damaged far, far more computers utilising exactly the same methods.

That's a silly argument.

It is "malware behaviour" only in the same sense that everything that any software ever does is malware behaviour: creating and deleting files and changing their contents. The fact that it deleted the wrong files is a mistake, not "malice", which requires intent.

What's new?

Not exactly the first time something like this has happened. I'm fairly sure I've heard instances in the past where all the big name AV brands have done something similar - maybe many years ago for some of them but they're all just as bad as each other.

Re: What's new?

Brick?

No, it's bloody not bricked. Windows is not firmware. If it somehow overwrote the code on the motherboard's EEPROM, then it would be bricked. Until such time, it's a corrupt OS, i.e. soft and sod-all to do with hard or firm.

Re: Brick?

semantics.

If my ONLY machine is a Windows machine, and I cannot use it to repair itself, then it is, to all intents and purposes, bricked. Now this scenario is unlikely in any commercial setting - ideally *someone* would have an unaffected machine, from which a BootCD could be burned, to help fix the other machines. However, to a lowly home user, especially a non-tech savvy one, then having their machine borked could be a big deal.

Quite a few one-man-band IT specialists have created their own Linux Distro, which they leave with clients, who can boot from it, in the event of a disaster. They establish an OpenVPN link back to the mothership, where remote jiggery-pokery can save the day.

Re: Brick?

I agree. The word "brick" has come to have a very specific meaning--crippling a device (by overwriting firmware) to the extent that it is permanently unusable or so that only the factory can repair it. We would have the same complaint if a headline said "Bin Laden dead" when he'd only gotten a flesh wound.